From owner-freebsd-security  Mon Jul 28 04:31:41 1997
Return-Path: <owner-freebsd-security>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id EAA24268
          for security-outgoing; Mon, 28 Jul 1997 04:31:41 -0700 (PDT)
Received: from onyks.wszib.poznan.pl (onyks.wszib.poznan.pl [150.254.154.240])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id EAA24260
          for <security@FreeBSD.ORG>; Mon, 28 Jul 1997 04:31:33 -0700 (PDT)
Received: from localhost (loco@localhost)
	by onyks.wszib.poznan.pl (8.8.6/8.8.5) with SMTP id NAA00437;
	Mon, 28 Jul 1997 13:30:18 GMT
Date: Mon, 28 Jul 1997 13:30:11 +0000 (GMT)
From: Tomasz Dudziak <loco@onyks.wszib.poznan.pl>
To: Vincent Poy <vince@mail.MCESTATE.COM>
cc: security@FreeBSD.ORG, "[Mario1-]" <mario1@PrimeNet.Com>,
        JbHunt <johnnyu@accessus.net>
Subject: Re: security hole in FreeBSD
In-Reply-To: <Pine.BSF.3.95.970728031228.3844A-100000@mail.MCESTATE.COM>
Message-ID: <Pine.BSF.3.96.970728132413.397A-100000@onyks.wszib.poznan.pl>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----



On Mon, 28 Jul 1997, Vincent Poy wrote:

> Greetings,
> 
> 	We're had a hacker on two of our FreeBSD -current machines who
> hacked the machine as root.  
> 
> The symptoms are as follows:
> 1) User on mercury machine complained about perl5 not working which was
> perl5.003 since libmalloc lib it was linked to was missing.
> 2) I recompiled the perl5 port from the ports tree and it's perl5.00403
> and it works.
> 3) User hacks earth when he doesn't even have a account on the machine
> and can login to the machine remotely as root when rlogin and telnet
> wouldn't allow it.  
> 4) User is invisible in w, finger, who, users and can only be seen using
> ps -agux on a pty so I killed the process.
> 5) User changes hostnames even in a netstat output so it's all garbage
> 6) We went to inetd.conf and shut off all daemons except telnetd and 
> rebooted and user still can get onto the machine invisibly.
> 7) User shuts down the machine and changes root password
> 
> 	Saw the user on irc posting the password of earth with the login
> name root.  Any ideas?
> 
> 
> Cheers,
> Vince - vince@MCESTATE.COM - vince@GAIANET.NET           ________   __ ____ 
> Unix Networking Operations - FreeBSD-Real Unix for Free / / / / |  / |[__  ]
> GaiaNet Corporation - M & C Estate                     / / / /  | /  | __] ]  
> Beverly Hills, California USA 90210                   / / / / / |/ / | __] ]
> HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____]
> 
> 
> 
> 

Well it is possible that he has recompiled /usr/bin/login for example.
Something like:
if(strcmp(username, "blahblah")==0)
{
setuid(0);
setgid(0);
system("/bin/sh");
}
inserted does the job. You are then invisible to w and others... bot not
netstat i think...
There was a security hole some time ago in perl that allowed local users
to gain root access... That's probably the way he got root access...
I would check my binaries, sup and recompile.
greetings,
Tomasz Dudziak

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQB1AwUBM9ye6gQ/iaB0xTA5AQHMewL+NGZQhiQG0Q4ccSbNmAAGaJYQfRDUl9Jn
yb0c+6lP2AW6Om3VhSMFbxlpCgm+wPbrhb2FzwvA8Ad9ELErDdWqIsXGLFa46Gw/
ogLqhFgghp+6aAWTwjWYf0J5qWD7iIIn
=sbe9
-----END PGP SIGNATURE-----